Skip to content

Add HTTP client options for SSL/TLS methods #530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
May 25, 2015
Merged

Add HTTP client options for SSL/TLS methods #530

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
2031686
Add HTTP client options for SSL/TLS options/ciphers
May 22, 2015
4f7fb06
[squashable] Comments from @deanberris
May 22, 2015
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions boost/network/protocol/http/client/async_impl.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,8 @@ struct async_client
optional<string_type> const& certificate_filename,
optional<string_type> const& verify_path,
optional<string_type> const& certificate_file,
optional<string_type> const& private_key_file)
optional<string_type> const& private_key_file,
optional<string_type> const& ciphers, long ssl_options)
: connection_base(cache_resolved, follow_redirect, timeout),
service_ptr(service.get()
? service
Expand All @@ -54,6 +55,8 @@ struct async_client
verify_path_(verify_path),
certificate_file_(certificate_file),
private_key_file_(private_key_file),
ciphers_(ciphers),
ssl_options_(ssl_options),
always_verify_peer_(always_verify_peer) {
connection_base::resolver_strand_.reset(
new boost::asio::io_service::strand(service_));
Expand All @@ -79,7 +82,8 @@ struct async_client
typename connection_base::connection_ptr connection_;
connection_ = connection_base::get_connection(
resolver_, request_, always_verify_peer_, certificate_filename_,
verify_path_, certificate_file_, private_key_file_);
verify_path_, certificate_file_, private_key_file_, ciphers_,
ssl_options_);
return connection_->send_request(method, request_, get_body, callback,
generator);
}
Expand All @@ -93,6 +97,8 @@ struct async_client
optional<string_type> verify_path_;
optional<string_type> certificate_file_;
optional<string_type> private_key_file_;
optional<string_type> ciphers_;
long ssl_options_;
bool always_verify_peer_;
};
} // namespace impl
Expand Down
6 changes: 4 additions & 2 deletions boost/network/protocol/http/client/connection/async_base.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,9 @@ struct async_connection_base {
optional<string_type> certificate_filename = optional<string_type>(),
optional<string_type> const &verify_path = optional<string_type>(),
optional<string_type> certificate_file = optional<string_type>(),
optional<string_type> private_key_file = optional<string_type>()) {
optional<string_type> private_key_file = optional<string_type>(),
optional<string_type> ciphers = optional<string_type>(),
long ssl_options = 0) {
typedef http_async_connection<Tag, version_major, version_minor>
async_connection;
typedef typename delegate_factory<Tag>::type delegate_factory_type;
Expand All @@ -53,7 +55,7 @@ struct async_connection_base {
delegate_factory_type::new_connection_delegate(
resolver.get_io_service(), https, always_verify_peer,
certificate_filename, verify_path, certificate_file,
private_key_file)));
private_key_file, ciphers, ssl_options)));
BOOST_ASSERT(temp.get() != 0);
return temp;
}
Expand Down
9 changes: 5 additions & 4 deletions boost/network/protocol/http/client/connection/connection_delegate_factory.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,13 +35,14 @@ struct connection_delegate_factory {
asio::io_service& service, bool https, bool always_verify_peer,
optional<string_type> certificate_filename,
optional<string_type> verify_path, optional<string_type> certificate_file,
optional<string_type> private_key_file) {
optional<string_type> private_key_file, optional<string_type> ciphers,
long ssl_options) {
connection_delegate_ptr delegate;
if (https) {
#ifdef BOOST_NETWORK_ENABLE_HTTPS
delegate.reset(new ssl_delegate(service, always_verify_peer,
certificate_filename, verify_path,
certificate_file, private_key_file));
delegate.reset(new ssl_delegate(
service, always_verify_peer, certificate_filename, verify_path,
certificate_file, private_key_file, ciphers, ssl_options));
#else
BOOST_THROW_EXCEPTION(std::runtime_error("HTTPS not supported."));
#endif /* BOOST_NETWORK_ENABLE_HTTPS */
Expand Down
5 changes: 4 additions & 1 deletion boost/network/protocol/http/client/connection/ssl_delegate.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,8 @@ struct ssl_delegate : connection_delegate,
optional<std::string> certificate_filename,
optional<std::string> verify_path,
optional<std::string> certificate_file,
optional<std::string> private_key_file);
optional<std::string> private_key_file,
optional<std::string> ciphers, long ssl_options);

virtual void connect(asio::ip::tcp::endpoint &endpoint, std::string host,
function<void(system::error_code const &)> handler);
Expand All @@ -45,6 +46,8 @@ struct ssl_delegate : connection_delegate,
optional<std::string> verify_path_;
optional<std::string> certificate_file_;
optional<std::string> private_key_file_;
optional<std::string> ciphers_;
long ssl_options_;
scoped_ptr<asio::ssl::context> context_;
scoped_ptr<asio::ssl::stream<asio::ip::tcp::socket> > socket_;
bool always_verify_peer_;
Expand Down
22 changes: 17 additions & 5 deletions boost/network/protocol/http/client/connection/ssl_delegate.ipp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,20 +14,31 @@
boost::network::http::impl::ssl_delegate::ssl_delegate(
asio::io_service &service, bool always_verify_peer,
optional<std::string> certificate_filename,
optional<std::string> verify_path, optional<std::string> certificate_file,
optional<std::string> private_key_file)
optional<std::string> verify_path,
optional<std::string> certificate_file,
optional<std::string> private_key_file,
optional<std::string> ciphers,
long ssl_options)
: service_(service),
certificate_filename_(certificate_filename),
verify_path_(verify_path),
certificate_file_(certificate_file),
private_key_file_(private_key_file),
ciphers_(ciphers),
ssl_options_(ssl_options),
always_verify_peer_(always_verify_peer) {}

void boost::network::http::impl::ssl_delegate::connect(
asio::ip::tcp::endpoint &endpoint, std::string host,
function<void(system::error_code const &)> handler) {
context_.reset(
new asio::ssl::context(service_, asio::ssl::context::sslv23_client));
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also, this sslv23_client eventually uses the OpenSSL: ::SSLv23_client_method(), which combined with the recommended: SSL_OP_NO_SSLv3 | SSL_OP_NO_SSLv2 options will negotiate the maximum supported TLS client version. On a base Ubuntu14.04 with OpenSSL 1.0.1f 6 Jan 2014, this implementation, with -DSSL_TXT_TLSV1_2 negotiates TLS1.2 fine.

In our projects we add to CMakeLists.txt

# Make sure the OpenSSL/ssl library has a TLS client method.
# Prefer the highest version of TLS, but accept 1.2, 1.1, or 1.0.
include(CheckLibraryExists)
CHECK_LIBRARY_EXISTS(${OPENSSL_SSL_LIBRARY} "TLSv1_2_client_method" "" OPENSSL_TLSV12)
CHECK_LIBRARY_EXISTS(${OPENSSL_SSL_LIBRARY} "TLSv1_1_client_method" "" OPENSSL_TLSV11)
CHECK_LIBRARY_EXISTS(${OPENSSL_SSL_LIBRARY} "TLSv1_client_method" "" OPENSSL_TLSV10)

# Add a define based on the highest TLS version found. Fatal if no TLS client.
if(OPENSSL_TLSV12)
  add_definitions(-DSSL_TXT_TLSV1_2)
elseif(OPENSSL_TLSV11)
  add_definitions(-DSSL_TXT_TLSV1_1)
elseif(OPENSSL_TLSV10)
  add_definitions(-DSSL_TXT_TLSV1)
else()
  message(FATAL "Cannot find any TLS client methods")
endif()

if (ciphers_) {
::SSL_CTX_set_cipher_list(context_->native_handle(), ciphers_->c_str());
}
if (ssl_options_ != 0) {
context_->set_options(ssl_options_);
}
if (certificate_filename_ || verify_path_) {
context_->set_verify_mode(asio::ssl::context::verify_peer);
if (certificate_filename_)
Expand All @@ -36,9 +47,10 @@ void boost::network::http::impl::ssl_delegate::connect(
} else {
if (always_verify_peer_) {
context_->set_verify_mode(asio::ssl::context::verify_peer);
context_->set_default_verify_paths(); // use openssl default verify paths. uses openssl environment variables SSL_CERT_DIR, SSL_CERT_FILE
}
else
// use openssl default verify paths. uses openssl environment variables
// SSL_CERT_DIR, SSL_CERT_FILE
context_->set_default_verify_paths();
} else
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This formatting looks weird to me. Please make consistent with the surrounding code, and don't use tab characters... if you can run clang-format on it using the .clang-format configuration in the root of the package.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting. I used the cpp-netlib's .clang-format and clang-format version 3.5.0 (tags/RELEASE_350/final), it should have picked up "UseTab: false".

context_->set_verify_mode(asio::ssl::context::verify_none);
}
if (certificate_file_)
Expand Down
22 changes: 13 additions & 9 deletions boost/network/protocol/http/client/connection/sync_base.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -245,22 +245,26 @@ struct sync_connection_base {
// optional
// ranges
static sync_connection_base<Tag, version_major, version_minor>*
new_connection(
resolver_type& resolver, resolver_function_type resolve, bool https,
bool always_verify_peer, int timeout,
optional<string_type> const& certificate_filename =
optional<string_type>(),
optional<string_type> const& verify_path = optional<string_type>(),
optional<string_type> const& certificate_file = optional<string_type>(),
optional<string_type> const& private_key_file = optional<string_type>()) {
new_connection(
resolver_type& resolver, resolver_function_type resolve, bool https,
bool always_verify_peer, int timeout,
optional<string_type> const& certificate_filename =
optional<string_type>(),
optional<string_type> const& verify_path = optional<string_type>(),
optional<string_type> const& certificate_file =
optional<string_type>(),
optional<string_type> const& private_key_file =
optional<string_type>(),
optional<string_type> const& ciphers = optional<string_type>(),
long ssl_options = 0) {
if (https) {
#ifdef BOOST_NETWORK_ENABLE_HTTPS
return dynamic_cast<
sync_connection_base<Tag, version_major, version_minor>*>(
new https_sync_connection<Tag, version_major, version_minor>(
resolver, resolve, always_verify_peer, timeout,
certificate_filename, verify_path, certificate_file,
private_key_file));
private_key_file, ciphers, ssl_options));
#else
throw std::runtime_error("HTTPS not supported.");
#endif
Expand Down
10 changes: 9 additions & 1 deletion boost/network/protocol/http/client/connection/sync_ssl.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,7 +56,9 @@ struct https_sync_connection
optional<string_type>(),
optional<string_type> const& verify_path = optional<string_type>(),
optional<string_type> const& certificate_file = optional<string_type>(),
optional<string_type> const& private_key_file = optional<string_type>())
optional<string_type> const& private_key_file = optional<string_type>(),
optional<string_type> const& ciphers = optional<string_type>(),
long ssl_options = 0)
: connection_base(),
timeout_(timeout),
timer_(resolver.get_io_service()),
Expand All @@ -65,6 +67,12 @@ struct https_sync_connection
context_(resolver.get_io_service(),
boost::asio::ssl::context::sslv23_client),
socket_(resolver.get_io_service(), context_) {
if (ciphers) {
::SSL_CTX_set_cipher_list(context_.native_handle(), ciphers->c_str());
}
if (ssl_options != 0) {
context_.set_options(ssl_options);
}
if (certificate_filename || verify_path) {
context_.set_verify_mode(boost::asio::ssl::context::verify_peer);
// FIXME make the certificate filename and verify path parameters
Expand Down
4 changes: 2 additions & 2 deletions boost/network/protocol/http/client/facade.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,8 +162,8 @@ struct basic_client_facade {
options.cache_resolved(), options.follow_redirects(),
options.always_verify_peer(), options.openssl_certificate(),
options.openssl_verify_path(), options.openssl_certificate_file(),
options.openssl_private_key_file(), options.io_service(),
options.timeout()));
options.openssl_private_key_file(), options.openssl_ciphers(),
options.openssl_options(), options.io_service(), options.timeout()));
}
};

Expand Down
24 changes: 24 additions & 0 deletions boost/network/protocol/http/client/options.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ struct client_options {
openssl_verify_path_(),
openssl_certificate_file_(),
openssl_private_key_file_(),
openssl_ciphers_(),
openssl_options_(0),
io_service_(),
always_verify_peer_(false),
timeout_(0) {}
Expand All @@ -38,6 +40,8 @@ struct client_options {
openssl_verify_path_(other.openssl_verify_path_),
openssl_certificate_file_(other.openssl_certificate_file_),
openssl_private_key_file_(other.openssl_private_key_file_),
openssl_ciphers_(other.openssl_ciphers_),
openssl_options_(other.openssl_options_),
io_service_(other.io_service_),
always_verify_peer_(other.always_verify_peer_),
timeout_(other.timeout_) {}
Expand All @@ -55,6 +59,8 @@ struct client_options {
swap(openssl_verify_path_, other.openssl_verify_path_);
swap(openssl_certificate_file_, other.openssl_certificate_file_);
swap(openssl_private_key_file_, other.openssl_private_key_file_);
swap(openssl_ciphers_, other.openssl_ciphers_);
swap(openssl_options_, other.openssl_options_);
swap(io_service_, other.io_service_);
swap(always_verify_peer_, other.always_verify_peer_);
swap(timeout_, other.timeout_);
Expand Down Expand Up @@ -90,6 +96,16 @@ struct client_options {
return *this;
}

client_options& openssl_ciphers(string_type const& v) {
openssl_ciphers_ = v;
return *this;
}

client_options& openssl_options(long o) {
openssl_options_ = o;
return *this;
}

client_options& io_service(boost::shared_ptr<boost::asio::io_service> v) {
io_service_ = v;
return *this;
Expand Down Expand Up @@ -125,6 +141,12 @@ struct client_options {
return openssl_private_key_file_;
}

boost::optional<string_type> openssl_ciphers() const {
return openssl_ciphers_;
}

long openssl_options() const { return openssl_options_; }

boost::shared_ptr<boost::asio::io_service> io_service() const {
return io_service_;
}
Expand All @@ -140,6 +162,8 @@ struct client_options {
boost::optional<string_type> openssl_verify_path_;
boost::optional<string_type> openssl_certificate_file_;
boost::optional<string_type> openssl_private_key_file_;
boost::optional<string_type> openssl_ciphers_;
long openssl_options_;
boost::shared_ptr<boost::asio::io_service> io_service_;
bool always_verify_peer_;
int timeout_;
Expand Down
3 changes: 2 additions & 1 deletion boost/network/protocol/http/client/pimpl.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -71,11 +71,12 @@ struct basic_client_impl
optional<string_type> const& verify_path,
optional<string_type> const& certificate_file,
optional<string_type> const& private_key_file,
optional<string_type> const& ciphers, long ssl_options,
boost::shared_ptr<boost::asio::io_service> service,
int timeout)
: base_type(cache_resolved, follow_redirect, always_verify_peer, timeout,
service, certificate_filename, verify_path, certificate_file,
private_key_file) {}
private_key_file, ciphers, ssl_options) {}

~basic_client_impl() {}
};
Expand Down
10 changes: 8 additions & 2 deletions boost/network/protocol/http/client/sync_impl.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,8 @@ struct sync_client
optional<string_type> verify_path_;
optional<string_type> certificate_file_;
optional<string_type> private_key_file_;
optional<string_type> ciphers_;
long ssl_options_;
bool always_verify_peer_;

sync_client(
Expand All @@ -53,7 +55,9 @@ struct sync_client
optional<string_type>(),
optional<string_type> const& verify_path = optional<string_type>(),
optional<string_type> const& certificate_file = optional<string_type>(),
optional<string_type> const& private_key_file = optional<string_type>())
optional<string_type> const& private_key_file = optional<string_type>(),
optional<string_type> const& ciphers = optional<string_type>(),
long ssl_options = 0)
: connection_base(cache_resolved, follow_redirect, timeout),
service_ptr(service.get() ? service
: make_shared<boost::asio::io_service>()),
Expand All @@ -63,6 +67,8 @@ struct sync_client
verify_path_(verify_path),
certificate_file_(certificate_file),
private_key_file_(private_key_file),
ciphers_(ciphers),
ssl_options_(ssl_options),
always_verify_peer_(always_verify_peer) {}

~sync_client() {
Expand All @@ -79,7 +85,7 @@ struct sync_client
typename connection_base::connection_ptr connection_;
connection_ = connection_base::get_connection(
resolver_, request_, always_verify_peer_, certificate_filename_,
verify_path_, certificate_file_, private_key_file_);
verify_path_, certificate_file_, private_key_file_, ciphers_);
return connection_->send_request(method, request_, get_body, callback,
generator);
}
Expand Down
13 changes: 9 additions & 4 deletions boost/network/protocol/http/policies/async_connection.hpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,13 +42,15 @@ struct async_connection_policy : resolver_policy<Tag>::type {
optional<string_type> const& certificate_filename,
optional<string_type> const& verify_path,
optional<string_type> const& certificate_file,
optional<string_type> const& private_key_file) {
optional<string_type> const& private_key_file,
optional<string_type> const& ciphers, long ssl_options) {
pimpl = impl::async_connection_base<
Tag, version_major,
version_minor>::new_connection(resolve, resolver, follow_redirect,
always_verify_peer, https, timeout,
certificate_filename, verify_path,
certificate_file, private_key_file);
certificate_file, private_key_file,
ciphers, ssl_options);
}

basic_response<Tag> send_request(string_type const& method,
Expand All @@ -72,7 +74,9 @@ struct async_connection_policy : resolver_policy<Tag>::type {
optional<string_type>(),
optional<string_type> const& verify_path = optional<string_type>(),
optional<string_type> const& certificate_file = optional<string_type>(),
optional<string_type> const& private_key_file = optional<string_type>()) {
optional<string_type> const& private_key_file = optional<string_type>(),
optional<string_type> const& ciphers = optional<string_type>(),
long ssl_options = 0) {
string_type protocol_ = protocol(request_);
connection_ptr connection_(new connection_impl(
follow_redirect_, always_verify_peer,
Expand All @@ -81,7 +85,8 @@ struct async_connection_policy : resolver_policy<Tag>::type {
this, boost::arg<1>(), boost::arg<2>(), boost::arg<3>(),
boost::arg<4>()),
resolver, boost::iequals(protocol_, string_type("https")), timeout_,
certificate_filename, verify_path, certificate_file, private_key_file));
certificate_filename, verify_path, certificate_file, private_key_file,
ciphers, ssl_options));
return connection_;
}

Expand Down
Loading